The ability to perform E-Commerce over the Internet has become the driver of the new digital economy. As it has opened up opportunities for businesses and consumers to conduct online transactions on a 24/7 basis, at the same time, it has also opened new opportunities for hackers to exploit the medium for nefarious cyber attacks. This paper discusses various potential security holes that exists in the e-commerce environment and suggests a framework to protect organizations from security breaches.
The Internet, which currently connects more than 300 million computers and 500 million users, is vulnerable to security breaches as indicated in numerous instances in recent times (Internet Users Report, 2007). Online fraud threatens to undermine consumer confidence in online financial services. Beyond simple phishing schemes, significant new threats are posed by spyware, browser hijacking, keystroke logging, and remote administration tools (Shukla & Nah, 2005). The Internet has the capacity to reduce global barriers and is becoming a fast and viable medium for conducting global business. As traditional businesses continue their migration into e-commerce, security will become a central issue to be seriously addressed. Even as organizations are looking at ways to strengthen the security of their networks and services, hackers all around the world are continuously discovering new vulnerabilities and inventing malicious breaches. Organizations who offer e-commerce are quite concerned about security breaches as it lessens the confidence of consumers and businesses in the privacy and integrity of online transaction and therefore their willingness to conduct business online (Araujo & Araujo, 2003). Numerous vulnerability scanners and intrusion detection systems have been developed and implemented but systems still seems to be susceptible to many attacks.
Attacks on computer systems are becoming much more sophisticated—and potentially devastating—than in the even recent past. A variety of security breaches take place in today’s world and are often not reported by organizations looking to safeguard their own interests. The Computer Security Institute report (2007) reports that the average annual loss reported by U.S. companies in the 2007 CSI Computer Crime and Security Survey more than doubled, from $168,000 in last year’s report to $350,424 in this year’s survey (Gordon, Loeb, Lucyshyn, & Richardson, 2006). The 2007 Global Security Survey (2007) for financial institutions by Deloitte indicates that e-commerce security attacks are increasing. GeoTrust, Inc. reports that significant new threats are posed by spyware, browser hijacking, keystroke logging, and remote administration tools for various types of online fraud (GeoTrust Report, 2007). The companies responding to these surveys indicated that information security spending by financial institutions continues to rise. Almost all respondents (98%) indicate increased security budgets, with 11 percent reporting an increase of over 15 percent over 2006. The report indicated that the security budgets increased from 14 percent in 2006 to 36 percent in 2007 (Deloitte Report, 2007). The Federal Financial Institutions Examination Council (FFIEC) also issued new guidance for new multi-factor authentication methods with identity verification best practices and consumer trust components for more effective and reliable means for authenticating end users (GeoTrust Report, 2007).
Despite the increased awareness, the recent frequency of security breaches seems to indicate that many companies have not adequately responded to the issue of data security within their organizations. New regulations and statutes are sure to get some attention, but the pressure to mitigate data security risks certainly increases. Interest in security is increasing and shareholders expect organizations to use proactive security measures to protect their value (Caralli & Wilson, 2004). Customers also expect the organizations with whom they conduct business online also expect a higher level of protection of their personal data. News reports of high-profile attacks on well-known Web sites do have an adverse impact on consumer confidence.
Key Terms in this Chapter
E-Commerce: Conducting traditional business transactions over an electronic or online medium.
Defence-in-Depth: Multiple layers of information security measures, a necessary requirement for securely conducting e-commerce. A defence-in-depth strategy often involves the use of hardware devices (e.g., firewalls), software (e.g., intrusion detection systems), process (e.g., audit of user accounts), and user training (e.g., security awareness training).
Self-Defending Capability: The ability of networks to respond to threats and attempted security breaches in an automated fashion and without human intervention.
Internet Access: Any mechanism to communicate over the Global Internet; a critical requirement for conducting e-commerce.
Online Environment: The environment used to conduct electronic transactions.
Security Breach: A compromise of the online environment where data and/or transactions are made available or known to unauthorized parties.